On Wed, 20 May 1998, Balan Sinniah wrote:
>
> I am writing a server program where it should be able to verify the user
> name and password. This program will be compiled and run under the root
> directory. Any client who is trying to send the user id and password to
> the server should be verified by this program. I have tried my very best
> to do it but yet I couldn't find the solution. Can anyone help me?

1. Does your system have shadowed passwords? (i.e. do you have an
/etc/shadow file, and x as password in /etc/passwd). If so, the program
should be run as root.

2. This is horrible from the security point of view. If one knows that a
user has an account on that machine, she might try to guess passwords.

3. What exactly is the problem? I don't quite get it. Verifying the
password? This should be simple, if you use crypt(3). Retrieve the
encrypted password from the database, crypt the supplied password using
the crypted password as salt (in fact only the first two bytes, but crypt
will ignore the rest, so it's safe to pass the encrypted password as a
salt, and easier), and compare the result with the crypted password.
If you use crypt_md5, you should grab the sources for crypt_md5
(tip: md5 passwords begin with $1$).

4. If you run any form of RedHat linux, you should try to do it via PAM,
it's safer, and it's nicer. Just learn the PAM interface, and write the
client.

Best wishes,
Mihai
Mihai Ibanescu Dynamic Network Technologies
http://sysadm.dntis.ro/~misa Moara de Foc 35, et. 7, 6600 Iasi
[EMAIL PROTECTED] tel. +40-32-252936
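
The check described in items 1 and 3 of the reply above, as an added C example that is not part of the original message. The names check_password, pw_result and demo_crypt are hypothetical; demo_crypt is a constructed stand-in so the block builds without libcrypt, and in real use you would pass crypt(3) itself and link with -lcrypt.

```c
#include <stdio.h>
#include <string.h>
/* Same signature as crypt(3). In real use pass crypt itself (link with -lcrypt). */
typedef char *(*crypt_fn)(const char *key, const char *salt);
enum pw_result { PW_OK, PW_MISMATCH, PW_NEED_SHADOW, PW_LOCKED, PW_ERROR };

/* Compare every byte instead of returning at the first difference. */
static int same_string(const char *a, const char *b)
{
    size_t la = strlen(a), lb = strlen(b), i;
    unsigned char diff = (unsigned char)(la != lb);
    for (i = 0; i < la && i < lb; i++)
        diff |= (unsigned char)(a[i] ^ b[i]);
    return diff == 0;
}

/* stored is the password field of the user's passwd or shadow entry. */
enum pw_result check_password(const char *stored, const char *supplied, crypt_fn hash)
{
    const char *out;
    if (!stored || !supplied || !hash) return PW_ERROR;
    if (strcmp(stored, "x") == 0) return PW_NEED_SHADOW;  /* hash is in /etc/shadow */
    /* Assumed policy: empty, '*' and '!' fields never authenticate. */
    if (stored[0] == '\0' || stored[0] == '*' || stored[0] == '!') return PW_LOCKED;
    out = hash(supplied, stored);   /* the stored hash doubles as the salt */
    if (!out) return PW_ERROR;      /* crypt(3) may return NULL on a bad salt */
    return same_string(out, stored) ? PW_OK : PW_MISMATCH;
}

/* Constructed stand-in for crypt(3), NOT a real hash: 2-byte salt + 11 derived bytes. */
static char *demo_crypt(const char *key, const char *salt)
{
    static char out[14];
    unsigned h = 5381;
    for (int i = 0; key[i]; i++) h = h * 33 + (unsigned char)key[i];
    h = (h * 33 + (unsigned char)salt[0]) * 33 + (unsigned char)salt[1];
    out[0] = salt[0]; out[1] = salt[1]; out[13] = '\0';
    for (int i = 2; i < 13; i++) { out[i] = (char)('a' + h % 26); h /= 26; }
    return out;
}

int main(void)
{
    char stored[14];
    strcpy(stored, demo_crypt("secret", "ab"));   /* constructed sample entry */
    printf("%d %d\n", check_password(stored, "secret", demo_crypt),
           check_password(stored, "Secret", demo_crypt));
    return 0;
}
```

The result of the hash call is copied or compared before the next call because crypt(3), like the stand-in here, returns a pointer to a static buffer.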